Top 3 Microsoft Office Exploits Hackers Are Using in 2025—and How to Stop Them

1st April 2025 | Advisory, Blog

In 2025, hackers continue to exploit office files, making them a top attack vector for cybercrime. Understanding these exploits helps you safeguard your organization’s data, devices, networks, and reputation. Here are the top three Microsoft Office-based exploits actively in use and key strategies to defend against them.

1. Phishing via Malicious Office Documents

Phishing attacks involving Microsoft Office files continue to be prevalent due to their ubiquity and effectiveness. Attackers send fake invoices or reports as Word or Excel files to trick recipients into opening malicious attachments. Many times these emails arrive from someone you know; their email has been compromised (Business Email Compromise). Users who open the attachment are prompted to enable macros or click links. These lead to fake sites that steal credentials or session tokens. Another attack vector sends a QR code as gift certificates. When scanned users visit a malicious website which steals their credentials, session tokens, or initiate malware download.

Defense Strategies:

User Training: Educate employees on recognizing phishing attempts and the dangers of enabling macros or following unsolicited links.
Use Email Security Gateways with Attachment Sandboxing: Deploy an email security solution that analyzes attachments in a sandbox before delivery. This isolates and detonates potentially malicious Office files to observe their behavior safely.
Prevent Token Theft (Advanced Strategy): This reddit thread provides expensive (but easier) and less expensive (but complicated) measures to combat session token theft in O365.

The above measures focus on exploiting end users through social engineering. They take advantage of the ubiquity of email, attachments, and trusted relationships with known parties. There is another vector of attack here; exploiting missing patches on end user systems. Microsoft released patches for these exploits, but many systems remain unpatched.

2. CVE-2017-11882: The Persistent Equation Editor Vulnerability

Hackers still exploit CVE-2017-11882 in outdated Office versions, despite patches released back in 2017. The Equation Editor flaw lets attackers run code when users open malicious documents without additional clicks. Exploits leveraging this vulnerability often deliver malware like Agent Tesla, an information-stealing Remote Access Trojan (RAT).

Defense Strategies:

Disable Macro’s by Default: Most Office-based malware relies on VBA macros. Configure Group Policy or use Office Trust Center settings to disable all macros, especially those with notification prompts.
Sandbox Analysis: As outlined previously above, attachment sandboxing and detonating attachments is an effective strategy to safely analyze suspicious documents and links.
Implement Attachment File Type Filtering: in addition to disabling macro’s, you should always block or quarantine risky attachment types like .docm, .xlsm, .hta, and .js at the email gateway or endpoint. Only allow commonly used formats like .docx or .xlsx that don’t support embedded macros.
Patch Management: Ensure all Microsoft Office installations are updated with the latest security patches.
Remove Administrative Access and deploy Endpoint Protection: Removing Administrative Rights from everyday usage prevents certain exploits from exploiting a device. Add robust Endpoint Detection and Response (EDR) solutions to identify and block exploit attempts.

Moving on from common attachment exploits, the 3rd actively used exploit in 2025 only requires a single end user click on a malicious file.

3. CVE-2022-30190: The “Follina” Exploit

The “Follina” vulnerability (CVE-2022-30190) exploits the Microsoft Support Diagnostic Tool (MSDT) via specially crafted Office documents. Attackers embed malicious URLs inside Office documents. When users open them, the URLs trigger remote code execution without macros. This exploit has been used to deploy various payloads, including those concealed through steganography—hiding malicious code within image files.

Defense Strategies:

Component Removal: Disable or remove all unnecessary components from your Windows deployments including the Equation Editor mentioned above, and restrict the use of MSDT URL protocol to prevent its exploitation through Office documents.

Run cmd as administrator, and type: reg delete HKEY_CLASSES_ROOTms-msdt /f

Security Updates: Fully patched systems are no longer exploitable by this Follina vulnerability. Ensure your patch management solution includes Microsoft Office patching (must be configured to do so) in addition to operating system patching.
Use Attack Surface Reduction (ASR) Rules: If you’re using Microsoft Defender for Endpoint, enable ASR rules to block Office from launching child processes like msdt.exe.Recommended rule: “Block all Office applications from creating child processes.”
Set via Intune, Group Policy, or PowerShell:
```
Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
```

Conclusion

The enduring exploitation of Microsoft Office vulnerabilities underscores the necessity for continuous proactive security measures. Regularly updating software, educating users, and implementing advanced threat detection mechanisms are essential steps in defending against these persistent threats. By staying informed about current exploit techniques and maintaining robust cybersecurity practices, organizations can mitigate the risks associated with malicious Office documents.

Secure your business with CyberHoot Today!!!

Not ready to sign up yet, but want to learn more? Attend our monthly webinar to see a demo of CyberHoot, ask questions, and learn what’s new. Click the Green Box below to Register. You want to, I can feel it!

Webinar Registration